Missing Authorization in Drupal Authenticator Login Affects Forceful Browsing
CVE-2025-31681

9.8CRITICAL

Key Information:

Vendor: Drupal
Status: Authenticator Login
Vendor: CVE Published:; 31 March 2025

What is CVE-2025-31681?

A Missing Authorization vulnerability in the Authenticator Login module for Drupal allows attackers to perform Forceful Browsing. This security flaw affects versions from 0.0.0 up to 2.0.5, potentially leading to unauthorized access to sensitive functionalities within web applications. It is crucial for users of the affected versions to upgrade to 2.0.6 or later to mitigate the risk of exploitation.

Affected Version(s)

Authenticator Login 0.0.0 < 2.0.6

References

https://www.drupal.org/sa-contrib-2025-009

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 31, 2025
Vulnerability Reserved
Mar 31, 2025

Credit

Ahmed Raza

Damien McKenna

Ivo Van Geertruyen

Juraj Nemec

JSON